IN: Little Red Door Cancer Services of East Central Indiana hacked by TheDarkOverlord (CORRECTED AND UPDATED)
CORRECTION: On January 17, DataBreaches.net learned that although this site accurately reported on statements made by Aimee Fant, Executive Director of Little Red Door Cancer Services of East Central Indiana (LRD) in an internal email to those involved in addressing a hack by TheDarkOverlord, the director’s statements to her staff and colleagues allegedly contained errors or somewhat misleading explanations. Some of those errors were allegedly repeated in a press release the agency subsequently released to news outlets in Indiana.
In an encrypted chat with TheDarkOverlord today, TDO claimed that:
- There was no ransomware involved in the attack on LRD. According to their statements to DataBreaches.net, TDO did what it has done in the past to other targets: it hacked LRD, exfiltrated their data, and then demanded payment not to release the data publicly. In this case, they also wiped the server (but not the backup).
- TDO stated that the ransom/extortion was for them not to publicly release (leak) the data.
- No data were encrypted by TDO at all.
- Although the director stated that the hacker(s) were the same hackers who attacked the City of Anderson in November, TDO firmly denies that they ever hacked the City of Anderson. When asked whether anything in their ransom communications might have suggested that they were the City of Anderson hackers, TDO stated that there was nothing that would have suggested that. To the contrary, TDO appeared quite baffled as to why LRD was claiming any connection to the City of Anderson ransomware attack or why they were mentioning ransomware at all.
DataBreaches.net will follow up on this, and has reached out to LRD for a response to TDO’s claims, but at the present time, instead of this being a ransomware attack, it appears to be an attack consistent with TDO’s past attacks involving ransom or extortion, but not ransomware.
As of late this afternoon, TDO indicated that it would be leaking the data of a “few thousand” people. Those data, they claim, do include some diagnostic/clinical information.
Sunday is supposed to be a day of rest, but nobody may be resting today at Little Red Door Cancer Services of East Central Indiana because LRD is trying to recover from a ransomware attack that they had not yet disclosed publicly.
LRD is a non-profit agency in Indiana that offers services for cancer patients, resources for those in need and information. According to their mission statement,
The mission of Cancer Services of ECI – Little Red Door is to reduce the financial and emotional burdens of those dealing with a cancer diagnosis, as well as promote cancer prevention, early detection and wellness to reduce cancer rates and improve cancer survivorship in our region.
In an internal email sent today by their Executive Director, Aimee Fant, to those involved in addressing their current situation, Fant reports that the agency has received a lot of support and assistance from the FBI, and that the good news is that their data was backed up in the cloud and that they will not have to pay ransom to get their data back.
Fant indicated that the attackers originally wanted $43,000, but even though the demand was eventually reduced to less than half of that, “They are not getting a dime.”
In this case, the attacker or collective of attackers are well-known to regular readers of this site, although this appears to be the first case to publicly tie TheDarkOverlord (TDO) to a known ransomware attack. In past attacks that were made public, TDO made ransom demands, but no ransomware had been involved.
The LRD ransomware attack was not TDO’s first ransomware attack, however. Although TDO was never named in media coverage at the time, DataBreaches.net learned today that TDO was reportedly behind the attack on the City of Anderson in November. In that case, Madison County paid $21,000 to get the decryption key. LRD is aware that they are dealing with the same attackers as the City of Anderson case, because Fant’s email notes:
Our agency’s terminal server and backup drive was hacked and the data is being held ransom on Wed. evening by the same criminals who hacked the City of Anderson’s government server. Madison County paid the ransom, so I do want you to understand the gravity up front.
The attack on LRD seems to have first been detected Thursday when several employees started discussing strange text messages they had received.
The bad news, Fant claimed in today’s email, is that the staff’s Social Security numbers and agency information is already on the dark web. A spokesperson for TDO, who forwarded that email to DataBreaches.net from within LRD’s system using the email account of their Director of Client Services and Education, disputes that statement. “In regards to their claims of their data and information being on the dark web, we must dispute this as this is most inaccurate,” the spokesperson claimed.
But in addition to staff’s SSN, there may be other personal information involved in what TDO acquired. Although Fant wrote, “They [the FBI] stated that we don’t have sensitive information regarding donors and clients- aside from phone numbers and email addresses,” TDO claims that they acquired a lot of personal information, including diagnoses of clients.
Their claim may have some support in Fant’s closing remarks in which she wrote, “We are going to be okay but I must admit, the FBI and IT consultants said this is one of the most pervasive “hits” they have seen.”
In past cases, TDO has either put data up for sale on the dark web or just dumped it if their victims did not meet their demands. When asked what TDO will do in this case, assuming LRD does not meet their payment demand, the spokesperson stated, “If Little Red Door does not comply with our requests, we will release what should be released, and monetise what should be monetised” (spelling as in the original).
DataBreaches.net sent a preliminary email inquiry to LRD, informing them that this site had become aware of their incident and cautioning them that their email system was compromised and that TDO could be reading their emails about this incident. This site suggested they use secure voice communications, but did not receive any response. A subsequent attempt to call their executive director was unsuccessful, as her voicemail box was full. DataBreaches.net then sent a second email inquiry about the incident, noting, however, that Fant should assume TDO could read all her responses if she chose email rather than telephone. LRD did not respond to this site’s inquiries by the time of this publication.
At the present time, then, it is unknown whether an employee improperly clicking on a link had unintentionally allowed the ransomware infection, what type of ransomware was involved, and why LRD believes their data are up for sale on the dark web when TDO says they are not up for sale.
This post will be updated if more information becomes available.
CORRECTION: This post was edited post-publication because it incorrectly linked to the wrong LRD. The LRD in question is the one in Muncie, Indiana, and not the one in Indianapolis. DataBreaches.net apologizes profusely for the error.